imap authentication on frontend [message #121172]
Fri, 08 May 2015 17:50
InfoLP
Messages: 8 Registered: May 2015
hello,
When I configure an imap account with the frontend as server, I can't authenticate.
I find this message in the logs: (xxx.xxx.xxx.xxx is the backend's IP)
May 8 16:04:53 kerio-frontend proxy: 2015/05/08 16:04:53 [error] 1909#0: *82 auth http server xxx.xxx.xxx.xxx:80 did not send server or port
while in http auth state, client: yyy.yyy.yyy.yyy, server: 0.0.0.0:143, login: "ron@mydomain"
There is this line in the auth_http.conf file:
auth_http xxx.xxx.xxx.xxx:80/auth;
But I obtain a 403 error when I try http://xxx.xxx.xxx.xxx:80/auth.
How can the frontend authenticate if the backend's auth URL doesn't exist?
Thanks
[Updated on: Fri, 08 May 2015 17:51]
Re: imap authentication on frontend [message #121193 is a reply to message #121172]
Mon, 11 May 2015 08:36
Jakub Schwarzmeier, Kerio
Messages: 42 Registered: June 2010
Hi,
The information returned by the backend on the "/auth" URL cannot be displayed in a web browser, as there are some special HTTP headers introduced by the frontend when doing auth stuff on that URL.
You can look at what happens inside the backend when resolving the "/auth" URL and what makes the frontend unhappy:
Go to http://xxx.xxx.xxx.xxx/admin. In Administration, go to Logs, Debug, and enable HTTP Server logs. Now try to make an IMAP connection to the frontend and let's see what happens on the backend on the "/auth" URL.
You should find an entry starting with "Search request for users home server" string in the HTTP Server log that should reveal what is the issue.
Will be interested in your findings.
Jakub
Re: imap authentication on frontend [message #121194 is a reply to message #121172]
Mon, 11 May 2015 11:16
InfoLP
Messages: 8 Registered: May 2015
Hi,
Thank you for your response.
The result obtained in the test on the back-end server:
[11/May/2015 10:54:04] {https} Task 291 handler BEGIN
[11/May/2015 10:54:04] {https} Task 291 handler starting
[11/May/2015 10:54:04] {https} HTTP connection from yyyy.yyyy.yyyy.yyyy:34894 started
[11/May/2015 10:54:04] {https} GET request for URI /auth
[11/May/2015 10:54:04] {https} User-Agent header:
[11/May/2015 10:54:04] {https} Search request for user home server is not allowed from the client ip address.
[11/May/2015 10:54:04] {https} Response: HTTP/1.1 403 Forbidden
[11/May/2015 10:54:04] {https} Request finished in 0.00 s, received 172 bytes, sent 255 bytes
[11/May/2015 10:54:04] {https} Task 291 handler END
The result is weird because in the administration console any addresses are allowed on the back-end server.
Front-end server IP: yyy.yyy.yyy.yyyy
Thanks
Re: imap authentication on frontend [message #121196 is a reply to message #121194]
Mon, 11 May 2015 13:41
Jakub Schwarzmeier, Kerio
Messages: 42 Registered: June 2010
For frontend-to-backend connections, there is a special IP group defined on the backend. Only members of this group are allowed to get a response for the "/auth" URL request.
With the mailserver process stopped, you should check the Http table in mailserver.cfg, where the "FrontendNetwork" variable is of interest. The value of this variable is the name of the group of IP addresses for which the request on "/auth" will be fulfilled by the backend.
E.g.
<table name="Http">
  ...
  <variable name="FrontendNetwork">Front-end nodes</variable>
</table>
<list name="IpAccessList">
  <listitem>
    <variable name="Name">Front-end nodes</variable>
    <variable name="Value">192.168.0.0/255.255.255.0</variable>
    <variable name="Enabled">1</variable>
    <variable name="Desc">Allows front-end authentication protocol access</variable>
    <variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
    <variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
  </listitem>
</list>
The content of the Http and IpAccessList tables has to be the same on all backends.
[Updated on: Mon, 11 May 2015 13:41]
Re: imap authentication on frontend [message #121198 is a reply to message #121172]
Mon, 11 May 2015 14:53
InfoLP
Messages: 8 Registered: May 2015
That's the problem.
My front-end IP is in the range "Front-end nodes":
<list name="IpAccessList">
  <listitem>
    <variable name="Name">Front-end nodes</variable>
    <variable name="Value">10.0.0.0/255.0.0.0</variable>
    <variable name="Enabled">1</variable>
    <variable name="Desc">Allows front-end authentication protocol access</variable>
    <variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
    <variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
  </listitem>
  <listitem>
    <variable name="Name">Front-end nodes</variable>
    <variable name="Value">192.168.0.0/255.0.0.0</variable>
    <variable name="Enabled">1</variable>
    <variable name="Desc">Allows front-end authentication protocol access</variable>
    <variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
    <variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
  </listitem>
</list>
<table name="Http">
  ....
  <variable name="FrontendNetwork">Front-end nodes</variable>
</table>
But the server continues with the log:
Search request for user home server is not allowed from the client ip address.
Do you know where the "auth" file is on the backend server?
I would like to see the rules or something to understand the error :/
Re: imap authentication on frontend [message #121199 is a reply to message #121198]
Mon, 11 May 2015 15:27
Jakub Schwarzmeier, Kerio
Messages: 42 Registered: June 2010
You have two members in a single "Front-end nodes" group. Both members have GroupGuid = a74ee767-03cc-4001-a885-aa4b19d5d1ea.
That is correct.
But both members of the group have the same Guid, meaning that these individuals are identical, i.e. only a single one of them is required to be used.
This is not what you want, I guess.
Change Guid in one of the members to make it look like, e.g.:
<list name="IpAccessList">
  <listitem>
    <variable name="Name">Front-end nodes</variable>
    <variable name="Value">10.0.0.0/255.0.0.0</variable>
    <variable name="Enabled">1</variable>
    <variable name="Desc">Allows front-end authentication protocol access</variable>
    <variable name="Guid">db0ba000-f7e0-11e4-a322-1697f925ec7b</variable>
    <variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
  </listitem>
  <listitem>
    <variable name="Name">Front-end nodes</variable>
    <variable name="Value">192.168.0.0/255.0.0.0</variable>
    <variable name="Enabled">1</variable>
    <variable name="Desc">Allows front-end authentication protocol access</variable>
    <variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
    <variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
  </listitem>
</list>
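The two replies above describe two separate things: how the backend decides whether an "/auth" request comes from a trusted frontend (the Http/FrontendNetwork group in mailserver.cfg) and why two group members that share a Guid count as one. The following Python is an added example written for this thread, not Kerio's code: it parses a constructed mailserver.cfg fragment modelled on the one posted, flags duplicate Guids, derives the networks the backend would honour under the assumption Jakub states (members with the same Guid collapse to one), and then models the backend's "/auth" handler together with nginx's reading of its response headers, so that the "did not send server or port" error from the first post can be reproduced from a 403. SAMPLE_CFG, HOME_SERVERS and the function names are constructed for the example; the Guid values are the ones quoted in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed mailserver.cfg fragment modelled on the one posted in the thread.
# The second member deliberately reuses the first member's Guid, which is the
# defect Jakub points out; a real file has many more tables and variables.
SAMPLE_CFG = """<config>
<table name="Http">
<variable name="FrontendNetwork">Front-end nodes</variable>
</table>
<list name="IpAccessList">
<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">10.0.0.0/255.0.0.0</variable>
<variable name="Enabled">1</variable>
<variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
<listitem>
<variable name="Name">Front-end nodes</variable>
<variable name="Value">192.168.0.0/255.255.0.0</variable>
<variable name="Enabled">1</variable>
<variable name="Guid">9fb4cc45-6836-4a10-9bde-9023aecf01e0</variable>
<variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
</list>
</config>"""

# Constructed "home server" table standing in for the backend's real user lookup.
HOME_SERVERS = {"ron": ("10.0.0.20", 143)}


def _variables(node):
    """Map the <variable name=...> children of a node to a {name: text} dict."""
    return {v.get("name"): (v.text or "").strip() for v in node.findall("variable")}


def frontend_group_members(cfg_xml):
    """IpAccessList members whose Name matches the Http/FrontendNetwork value."""
    root = ET.fromstring(cfg_xml)
    group = _variables(root.find("table[@name='Http']"))["FrontendNetwork"]
    items = root.find("list[@name='IpAccessList']").findall("listitem")
    return [m for m in map(_variables, items) if m.get("Name") == group]


def duplicate_guids(members):
    """Guids shared by more than one member (each member should have its own)."""
    seen, dups = set(), set()
    for m in members:
        if m["Guid"] in seen:
            dups.add(m["Guid"])
        seen.add(m["Guid"])
    return sorted(dups)


def effective_networks(members):
    """Networks the backend will honour, under the assumption (as Jakub describes)
    that members sharing a Guid collapse to a single entry: the first one wins."""
    first_by_guid = {}
    for m in members:
        if m.get("Enabled") == "1":
            first_by_guid.setdefault(m["Guid"], m)
    # Kerio writes masks as dotted quads ("192.168.0.0/255.255.0.0");
    # ipaddress.ip_network accepts that form, and a bare address becomes a /32.
    return [ipaddress.ip_network(m["Value"], strict=False) for m in first_by_guid.values()]


def peer_is_frontend(peer_ip, networks):
    """The check the backend applies to the TCP peer of the /auth request."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in n for n in networks)


def backend_auth_response(peer_ip, request_headers, networks, home_servers=HOME_SERVERS):
    """Model of the backend's /auth handler: returns (status_code, headers).

    nginx's auth_http module expects Auth-Status and, on success, Auth-Server and
    Auth-Port. A 403 carrying none of them is exactly what produces the
    "did not send server or port" error quoted in the thread.
    """
    if not peer_is_frontend(peer_ip, networks):
        return 403, {}  # "Search request for user home server is not allowed ..."
    target = home_servers.get(request_headers.get("Auth-User", ""))
    if target is None:
        return 200, {"Auth-Status": "Invalid login or password"}
    server, port = target
    return 200, {"Auth-Status": "OK", "Auth-Server": server, "Auth-Port": str(port)}


def nginx_verdict(response_headers):
    """Simplified version of what the nginx mail proxy does with those headers."""
    status = response_headers.get("Auth-Status")
    if status is not None and status != "OK":
        return "reject client: " + status
    if not response_headers.get("Auth-Server") or not response_headers.get("Auth-Port"):
        return "error: auth http server did not send server or port"
    return "proxy to %s:%s" % (response_headers["Auth-Server"], response_headers["Auth-Port"])
```

Run `duplicate_guids(frontend_group_members(cfg))` against an exported mailserver.cfg to spot the duplicate-Guid case before restarting the service; `effective_networks` then shows which ranges actually survive. Note that the allow-list is evaluated against the TCP peer of the "/auth" request (the frontend), not against the Client-IP header nginx forwards for the end user.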
Re: imap authentication on frontend [message #121200 is a reply to message #121172]
Mon, 11 May 2015 15:42
InfoLP
Messages: 8 Registered: May 2015
From Webadmin I deleted the IP range and recreated it:
<listitem>
  <variable name="Name">Front-end nodes</variable>
  <variable name="Value">10.0.0.0/255.0.0.0</variable>
  <variable name="Enabled">1</variable>
  <variable name="Desc">Allows front-end authentication protocol access</variable>
  <variable name="Guid">f090491d-4246-4728-acb9-16cddf2262ac</variable>
  <variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
<listitem>
  <variable name="Name">Front-end nodes</variable>
  <variable name="Value">192.168.0.0/255.255.0.0</variable>
  <variable name="Enabled">1</variable>
  <variable name="Desc">Allows front-end authentication protocol access</variable>
  <variable name="Guid">da1b8aae-978d-45ad-b483-9eb881731a7c</variable>
  <variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
Now they don't have the same Guid... but I keep getting the same error log.
(Yes, I rebooted the server to "validate" the conf.)
Do you think the problem may come from the URL yyy.yyy.yyy.yyyy/auth, or from the front-end when it sends information to the backend?
Re: imap authentication on frontend [message #121201 is a reply to message #121200]
Mon, 11 May 2015 16:02
Jakub Schwarzmeier, Kerio
Messages: 42 Registered: June 2010
Backend simply does not trust the frontend's IP address.
In Webadmin, try to remove all "Front-end nodes" IP ranges, create the group "Front-end nodes" and insert only a single IP address which is IP address of the frontend.
Enable Logs -> Debug -> Local Services -> Distributed domain (near the bottom of the list). Try to connect with IMAP client to frontend and observe logs again.
Re: imap authentication on frontend [message #121204 is a reply to message #121172]
Mon, 11 May 2015 18:18
InfoLP
Messages: 8 Registered: May 2015
As you asked, I deleted all IP ranges in the group "Front-end nodes" and added only the IP of the front-end server.
<listitem>
  <variable name="Name">Front-end nodes</variable>
  <variable name="Value">xxx.xxx.xxx.xxx</variable>
  <variable name="Enabled">1</variable>
  <variable name="Desc">Allows front-end authentication protocol access</variable>
  <variable name="Guid">304f8114-8833-49c7-8f55-db6984fe0b71</variable>
  <variable name="GroupGuid">a74ee767-03cc-4001-a885-aa4b19d5d1ea</variable>
</listitem>
After enabling the Distributed Domain Service logs I see nothing. No line appears in the IMAP or Distributed Domain Service log.
In the frontend nginx log I can see (yyy: backend IP, zzz: client IP, xxx: frontend IP):
2015/05/11 18:08:54 [error] 1916#0: *229 auth http server yyy.yyy.yyy.yyy:80 did not send server or port while in http auth state, client: zzz.zzz.zzz.zzz, server: 0.0.0.0:993, login: "ron"
In the backend log, I can see entries only for HTTP (nothing for IMAP or Distributed Domain Service):
[11/May/2015 18:08:54] {https} Task 39 handler BEGIN
[11/May/2015 18:08:54] {https} Task 39 handler starting
[11/May/2015 18:08:54] {https} HTTP connection from xxx.xxx.xxx.xxx:47906 started
[11/May/2015 18:08:54] {https} GET request for URI /auth
[11/May/2015 18:08:54] {https} User-Agent header:
[11/May/2015 18:08:54] {https} Search request for user home server is not allowed from the client ip address.
[11/May/2015 18:08:54] {https} Response: HTTP/1.1 403 Forbidden
[11/May/2015 18:08:54] {https} Request finished in 0.00 s, received 172 bytes, sent 255 bytes
[11/May/2015 18:08:54] {https} Task 39 handler END
Any other idea?
Thanks for your help
Re: imap authentication on frontend [message #121217 is a reply to message #121172]
Tue, 12 May 2015 12:21
InfoLP
Messages: 8 Registered: May 2015
Hello,
After deploying a second backend:
[12/May/2015 12:16:56] {https} Task 2320 handler BEGIN
[12/May/2015 12:16:56] {https} Task 2320 handler starting
[12/May/2015 12:16:56] {https} HTTP connection from xxx.xxx.xxx.xxx:50922 started (from frontend network)
[12/May/2015 12:16:56] {https} GET request for URI /auth
[12/May/2015 12:16:56] {https} User-Agent header:
[12/May/2015 12:16:56] {https} Search request for users home server: used primary domain "lepoint.fr" for user "dmalfoy", original IP: "zzz.zzz.zzz.zzz"
[12/May/2015 12:16:56] {https} Search request for user home server: imap target server (zzz.zzz.zzz.zzz:143)
[12/May/2015 12:16:56] {https} Response: HTTP/1.1 200 OK
[12/May/2015 12:16:56] {https} Request finished in 0.00 s, received 176 bytes, sent 236 bytes
[12/May/2015 12:16:56] {https} Task 2320 handler END
So it is essential to have two backends for authentication via the proxy to work.
Thank you for your help